Skip to end of banner Go to start of banner

cloud.aws.firewall

Skip to end of metadata

Created by Juan Tomás Alonso Nieto on May 22, 2023

Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Introduction

The tags beginning with cloud.aws.firewall identify events generated by AWS Network Firewall.

Valid tags and data tables

The full tag must have 4 levels. The first 3 are fixed as cloud.aws.firewall. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables
AWS Network Firewall	`cloud.aws.firewall.alert`	`cloud.aws.firewall.alert`
AWS Network Firewall	`cloud.aws.firewall.netflow`	`cloud.aws.firewall.netflow`

For more information, read more About Devo tags.

Table structure

These are the fields displayed in these tables:

cloud.aws.firewall.alert
cloud.aws.firewall.netflow

cloud.aws.firewall.alert

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
ACCID	`str`
REGION	`str`
firewall_name	`str`
availability_zone	`str`
event_timestamp	`str`
event__timestamp	`str`
event__flow_id	`int8`
event__event_type	`str`
event__src_ip	`ip4`
event__src_port	`int4`
event__dest_ip	`ip4`
event__dest_port	`int4`
event__proto	`str`
event__tx_id	`int4`
event__alert__action	`str`
event__alert__signature_id	`int4`
event__alert__rev	`int4`
event__alert__signature	`str`
event__alert__category	`str`
event__alert__severity	`int4`
event__http__hostname	`str`
event__http__url	`str`
event__http__http_user_agent	`str`
event__http__http_method	`str`
event__http__protocol	`str`
event__http__length	`int4`
event__app_proto	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

cloud.aws.firewall.netflow

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
ACCID	`str`
REGION	`str`
firewall_name	`str`
availability_zone	`str`
event_timestamp	`str`
event__timestamp	`str`
event__flow_id	`int8`
event__event_type	`str`
event__src_ip	`ip4`
event__src_port	`int4`
event__dest_ip	`ip4`
event__dest_port	`int4`
event__proto	`str`
event__netflow__pkts	`int4`
event__netflow__bytes	`int4`
event__netflow__start	`str`
event__netflow__end	`str`
event__netflow__age	`int4`
event__netflow__min_ttl	`int4`
event__netflow__max_ttl	`int4`
event__tcp__tcp_flags	`str`
event__tcp__syn	`bool`
event__tcp__ecn	`bool`
event__tcp__cwr	`bool`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

No labels